
Incoming Execution via WinRM Remote Shell

Elastic Detection Rules

Summary
This detection rule identifies the use of Windows Remote Management (WinRM) for remote execution on a host. It is designed to detect potential lateral movement by monitoring incoming network connections over the WinRM protocol, which attackers can abuse once they hold valid credentials. The rule specifically analyzes network traffic on ports 5985 and 5986, the ports used by WinRM, looking for incoming connections that do not originate from the localhost. Additionally, it checks for processes spawned by 'winrshost.exe' (the WinRM remote shell host) other than 'conhost.exe', marking them as potentially suspicious. The rule is written in EQL and targets the indices relevant to Windows network and process events. It stresses the contextual investigation steps needed to differentiate legitimate administrative activity from a potential threat, and provides guidance on responding to incidents detected through this rule, including isolating affected hosts and revoking suspicious credentials. The guidance emphasizes assessing baseline noise first and allows for crafting exceptions to minimize false positives.
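As an added illustration of the logic the summary describes (example code written for this page, not the rule's own EQL or anything from the Elastic repository), the following Python model applies the two checks to constructed sample telemetry and pairs them per host. The 30-second correlation window, the pairing of each winrshost.exe child with the most recent qualifying inbound connection on the same host, and the event field names are assumptions, not taken from the rule.

```python
from dataclasses import dataclass

WINRM_PORTS = {5985, 5986}          # WinRM over HTTP / HTTPS
LOCALHOST = {"127.0.0.1", "::1"}    # loopback peers are out of scope for the rule

@dataclass
class Event:
    host: str
    ts: float               # event time in seconds (constructed sample values)
    kind: str               # "network" or "process"
    direction: str = ""     # network: "incoming" or "outgoing"
    src_ip: str = ""        # network: peer address
    dst_port: int = 0       # network: local port the peer connected to
    proc_name: str = ""     # process: image name of the started process
    parent_name: str = ""   # process: image name of its parent

def is_inbound_winrm(e):
    """Incoming connection on a WinRM port from a non-loopback peer."""
    return (e.kind == "network" and e.direction == "incoming"
            and e.dst_port in WINRM_PORTS and e.src_ip not in LOCALHOST)

def is_winrshost_child(e):
    """Process spawned by winrshost.exe, ignoring the conhost.exe it always starts."""
    return (e.kind == "process" and e.parent_name.lower() == "winrshost.exe"
            and e.proc_name.lower() != "conhost.exe")

def detect(events, maxspan=30.0):
    """Per host: inbound WinRM connection followed within maxspan seconds by a winrshost.exe child (assumed window)."""
    alerts = []
    last_inbound = {}   # host -> most recent qualifying network event
    for e in sorted(events, key=lambda x: x.ts):
        if is_inbound_winrm(e):
            last_inbound[e.host] = e
        elif is_winrshost_child(e):
            n = last_inbound.get(e.host)
            if n is not None and 0 <= e.ts - n.ts <= maxspan:
                alerts.append((e.host, n.src_ip, e.proc_name))
    return alerts

# Constructed sample telemetry: only ws01 should alert with the default window.
SAMPLE = [
    Event("ws01", 100.0, "network", direction="incoming", src_ip="10.0.0.5", dst_port=5985),
    Event("ws01", 102.0, "process", proc_name="conhost.exe", parent_name="winrshost.exe"),
    Event("ws01", 102.5, "process", proc_name="powershell.exe", parent_name="winrshost.exe"),
    Event("ws02", 200.0, "network", direction="incoming", src_ip="127.0.0.1", dst_port=5985),
    Event("ws02", 201.0, "process", proc_name="cmd.exe", parent_name="winrshost.exe"),
    Event("ws03", 400.0, "network", direction="incoming", src_ip="10.0.0.9", dst_port=5986),
    Event("ws03", 450.0, "process", proc_name="cmd.exe", parent_name="winrshost.exe"),
]
```

ws02 is excluded because the connection is loopback, and ws03 because the child process falls outside the assumed window; widening maxspan surfaces ws03 as well.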
Categories
  • Endpoint
  • Windows
Data Sources
  • Network Traffic
  • Process
  • Windows Registry
  • Service
ATT&CK Techniques
  • T1021
  • T1021.006
Created: 2020-11-24